Summary
CSV export writes attacker-controlled fields directly into quoted CSV without CSV-safe escaping or formula neutralization.
Evidence
functions.php export blocks around:
Values are concatenated directly, including host/message/log text.
Risk
- Spreadsheet formula execution when cells begin with
=, +, -, @
- Broken CSV format for embedded quotes/newlines
Expected fix
- Use
fputcsv() (or equivalent robust escaping)
- Prefix dangerous leading formula characters with
'
- Preserve existing export columns/format semantics
Summary
CSV export writes attacker-controlled fields directly into quoted CSV without CSV-safe escaping or formula neutralization.
Evidence
functions.phpexport blocks around:800-807827-836Values are concatenated directly, including host/message/log text.
Risk
=,+,-,@Expected fix
fputcsv()(or equivalent robust escaping)'